This commit introduces support for configuring mount propagation when
mounting volumes with the `volume_mount` stanza on Linux targets.

Similar to Kubernetes, we expose 3 options for configuring mount
propagation:

- private, which is equivalent to `rprivate` on Linux, which does not allow the
           container to see any new nested mounts after the chroot was created.

- host-to-task, which is equivalent to `rslave` on Linux, which allows new mounts
                that have been created _outside of the container_ to be visible
                inside the container after the chroot is created.

- bidirectional, which is equivalent to `rshared` on Linux, which allows both
                 the container to see new mounts created on the host, but
                 importantly _allows the container to create mounts that are
                 visible in other containers an don the host_

private and host-to-task are safe, but bidirectional mounts can be
dangerous, as if the code inside a container creates a mount, and does
not clean it up before tearing down the container, it can cause bad
things to happen inside the kernel.

To add a layer of safety here, we require that the user has ReadWrite
permissions on the volume before allowing bidirectional mounts, as a
defense in depth / validation case, although creating mounts should also require
a priviliged execution environment inside the container.

Fix upstreams docs link

Fix `volume_mount` attribute in the docs and formatting

The default ulimit for open files on macOS is really small (256),
which leads to "too many open files" errors during plugin launches if
you're running unit tests in `drivers/docker`. Recommend setting
`ulimit -n 1024`.

manage dev deps in vagrant

Allow dash in environment variable names

ci: ignore nested pkgs in GOTEST_PKGS_EXCLUDE

- In script checks, ensure we're running `Exec` against the new running
  allocation and not the earlier stopped one.
- In script checks, allow `Exec` calls to error due to lack of pty when
  we use the exec to kill the task.
- In `utils.go/RegisterAllocs`, force query for allocations to wait on
  wait index returned by registration call.

On macOS, `os.TempDir` returns a symlinked path under `/var` which is
outside of the directories shared into the VM used for Docker, and
that fails tests using Docker that need that mount. If we expand the
symlink to get the real path in `/private`, we're in the shared
folders and can safely mount them.

website: document Quota field in ns payloads

fix 'nomad namespace apply' help message

The auto-generation of TOC wasn’t working because the
“auto-linking header tags” described here doesn’t work
if the file isn’t Markdown:
https://github.com/hashicorp/middleman-hashicorp#auto-linking-header-tags

Named arguments need to preceed positional arguments.

website: Link to 0.10.0-beta1 release

Start of docs for group level service and network stanza.

docs: mention task field for checks

Docs: Added alloc_exec and alloc_node_exec capabilities

These were added in https://github.com/hashicorp/nomad/commit/4f7bd68f5ca9f330a894bfb4375b87f786e1e7a3

Tweak wording in changelog to match other entries.

docs: add more detail to connect stanzas

When multiple developers are working on e2e testing, it helps to be
able to identify which infrastructure belongs to which Nomad SHA and
which developer. This adds tags to the EC2 instances.